Not all viruses are successful, however much they try..

Sophos Press Release

The vast majority of viruses fail to spread successfully in the wild, and yet some of them still manage to interest customers and the media.

A recent example of this is W32/Duni-A. At the time of writing Sophos technical support has received no reports from any customers infected by this worm, but the curious lengths the virus writer went to in an attempt to encourage users to double click on the attachment have raised many eyebrows.

The virus spreads itself via email using a variety of Spanish language phrases and filenames. The fact that it communicates in Spanish means that it instantly becomes less likely to spread in communities and organisations where Spanish is not normally used. Unlike, for instance, the W32/Sircam worm it is not a virus which can determine the language of the computer it is running on and switch between Spanish and English at will.

The author of W32/Duni-A has, however, used some other tricks in an attempt to spread his creation further.

For instance, the worm sends itself in the form of a .CPL (Control Panel Extension) file. Many users may not realise that .CPL files are executable code and should be treated with the same suspicion as, for instance, .EXE files.

Furthermore, W32/Duni-A uses the commonly encountered psychological technique of luring the user into double-clicking on the attachment by suggesting the file is humorous, titillating, related to an internet security problem or intended for the morbidly curious.

Examples include that the attachment claims to contain pictures of victims of Jack The Ripper and Charles Manson, details of the latest virus hoaxes and that Osama Bin Laden is president of FIFA.

Finally, the worm also tries to use the KaZaA file exchange network to spread itself, suggesting amongst other choices that it might be pornographic material related to Britney Spears and David Beckham, cracks for anti-virus software, hardcore sex movies, or desktop themes related to the movie Spider-Man.

"This worm shows that, despite their best efforts at psychological subterfuge, the majority of viruses do not spread successfully in the wild," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Although this worm contains material which may make it memorable it does not present a threat to those who practise safe computing and keep their anti-virus software up-to-date. Users should always be suspicious of unsolicited email attachments and be wary of downloading unknown executable content via the internet"

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at